Cheapskate fraudsters hoping to run phishing scams for peanuts have themselves been hoodwinked. Security watchers have spotted a free phishing kit containing a hidden backdoor that siphons off stolen credentials from the fraudsters who use the technology.
Script kiddies are unlikely to twig that captured credit card numbers …

Par for the course

The 'script kiddies' have always been the Artful Dodgers and Oliver Twists, to the Fagans that are malware authors.

Open Source pen tools, are perhaps the exception, but it has been common practice to lace closed source exploitation tools to in some way skim the cream of other's whilst they crack.

Most of the times it is in sending back data, but it does get used to cover tracks as well. A new exploit in the wild is useful, but if you are the only one who knows about it, using it can paint a big target mark to your door. A release of a script prior to a crack attempt on a targeted system can detract attention, and make it look like an unfortunate incident as opposed to a direct attack.

There is a lot of misinformation in the security world, primarily because misinformation is yet another tool of security. Whilst obviously not all malware contains backdoors itself, the fact that a lot does tends to make it a little riskier to use the stuff. Some people will always just want to crack though, and the tools offer a quick but dangerous inroad for themselves, most of the time they will not be aware of the risk they are taking, most tools don't stop at siphoning data, they tend to backdoor the machines and leave command and control capability in the malware authors' hands.

So who wins

if I were the wiley hacker I would not hand all the card data the script gleaned to the skiddees and I might mung it a bit to keep them from ruining it's usefulness for me. One things for sure though the card holders and their banks aren't winning.